July 2014

July 31, 2014

The Brits traditionally sent convicts to Australia - and apparently, some are true to their genes. DFI News published a link to a fascinating story about the budding science of chatroom forensics.

Shunichi Ishihara, a senior lecturer at the Australian National University, recently gave a presentation on the infant science of chatroom forensics, now seen as a tool to use to catch pedophiles.

The way people chat online is fairly distinct. It isn't conclusive, but you can build up a high probability that you have (or do not have) the right person. Law enforcement can compare incriminating texts or chat logs with those known to belong to a suspect. Mind you, it isn't conclusive, but much of forensic science (handwriting, voice, etc.) is not.

If this is mysterious to you, Ishihara offers up examples from people unknowingly chatting with police officers - and points out the incriminating giveaways such as double question marks, ellipses, consistent capitalization of the first word, lack of punctuation and complete lack of capitalization.

Conclusive? No. But it can bolster a case - or suggest that the suspect is the wrong guy.
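As an added example, not from Ishihara's presentation or the DFI News story: a toy Python feature extractor that scores the stylistic markers listed above (double question marks, ellipses, first-word capitalization, missing end punctuation, no capitals at all) across constructed chat logs and reports which known author's profile a questioned log most resembles. The sample messages, the feature names and the plain Euclidean distance are my assumptions; a real comparison uses far larger samples and calibrated likelihood ratios.

```python
import re
from math import sqrt

# Constructed sample chat logs (not real evidence): one message per line.
KNOWN_A = [
    "hey are you there??",
    "ok... i guess we can meet later",
    "no worries",
    "did u get my message??",
]
KNOWN_B = [
    "Hello, how are you?",
    "I will be there at six.",
    "Sure, that works.",
    "Can you send the file?",
]
QUESTIONED = [
    "where did you go??",
    "im still waiting...",
    "call me",
]

# Stylistic markers named in the post, each tested per message.
FEATURES = {
    "double_qmark": lambda m: "??" in m,
    "ellipsis": lambda m: "..." in m,
    "first_word_capitalized": lambda m: m[:1].isupper(),
    "no_terminal_punct": lambda m: not re.search(r"[.!?]$", m.strip()),
    "no_capitals_at_all": lambda m: not any(c.isupper() for c in m),
}

def profile(messages):
    """Fraction of messages showing each marker: a per-author style vector."""
    n = len(messages)
    return {name: sum(1 for m in messages if f(m)) / n for name, f in FEATURES.items()}

def distance(p, q):
    """Euclidean distance between two style vectors; smaller means more alike."""
    return sqrt(sum((p[k] - q[k]) ** 2 for k in FEATURES))

def closest_author(questioned, known):
    """Return (author, distance) for the known profile nearest the questioned log."""
    qp = profile(questioned)
    scores = {name: distance(qp, profile(msgs)) for name, msgs in known.items()}
    best = min(scores, key=scores.get)
    return best, round(scores[best], 3)

if __name__ == "__main__":
    print(closest_author(QUESTIONED, {"A": KNOWN_A, "B": KNOWN_B}))
```

A distance this simple says only which profile is nearer, not how much more likely that author is, which is the "not conclusive" caveat from the post.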

July 30, 2014

KrebsonSecurity recently revealed that three Israeli defense contractors responsible for building the "Iron Dome" missile shield were compromised by hackers between 2011 and 2012. Huge quantities of sensitive documents relating to the shield technology were stolen.

According to threat intelligence firm Cyber Engineering Services Inc. (CyberESI), the hackers, thought to be operating out of China, breached the corporate networks of three top Israeli defense technology companies, including Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems.

Two of the companies did not respond to inquiries, but a spokesman for Israel Aerospace Industries brushed off the report, calling it "old news." But was the company able to point to any media coverage of the breach? No. So apparently it is "new news."

According to CyberESI, the attack bore the hallmarks of the "Comment Crew," a prolific and state-sponsored hacking group associated with the Chinese People's Liberation Army (PLA) and credited with purloining terabytes of data from U.S. defense contractors and corporations.

It is noteworthy to me that many data breaches come to light so long after the fact, reporting and compliance obligations notwithstanding.

July 29, 2014

Once a year, I ask readers who enjoy Ride the Lightning to fill out the ABA's form (scroll to the bottom) to say a few kind words about RTL in support of having it named to the annual list of 100 best legal blogs. It takes very little time to fill out the form, so please do so if you have the inclination. And, if you do, please write and tell me so I can thank you!

It has been a pleasure to see RTL make the list for the last several years - thanks for always being so supportive!

July 28, 2014

Darn good question. But as SC Magazine recently reported, a new report from Ponemon Institute determined that nearly a third of IT security teams never speak with their company's executives about cyber security and of those who did, 23 percent spoke to them only once per year.

This lack of communication and security awareness obviously increases companies' risk of experiencing some kind of attack. Jeff Debrosse, director of security research at Websense, which sponsored the “Roadblocks, Refresh, & Raising the Human Security IQ” report, said in an interview with SCMagazine.com that the "31 percent [of IT teams that do not speak with their corporate executives] will, at some point, find themselves on the front page because they're not having a conversation about insider threats, APTs, etc."

Security teams need to communicate with executives as silence on their part may well be taken to mean everything is fine when it is not. They certainly need to have a presence and be able to defend their budget requests, updating the executive team with what has changed in the world of cybersecurity, which moves very quickly indeed.

The report, which surveyed more than 160,000 IT security professionals in 15 countries to determine the challenges they face in dealing with cyber security threats, also found that 47 percent of respondents felt frequently disappointed with the level of protection their security solution offers, and that 52 percent of companies do not provide cyber security education to their employees. The majority of those surveyed work for financial companies, and the United States and India accounted for the largest portion of respondents.

July 17, 2014

A recent post from Politico highlighted the allure that health records have for cybercriminals.

On the black market, a full identity profile contained in a single record can fetch as much as $500. You can imagine how much a big breach might be worth.

“What I think it’s going to lead to, if it hasn’t already, is an arms race between the criminal element and the people trying to protect health data,” said Robert Wah, president of the American Medical Association and chief medical officer at the health technology firm CSC. “I think the health data stewards are probably a little behind in the race. The criminal elements are incredibly sophisticated.”

Health care is the new kid on the block of the digital world, trailing banks and retailers with decades of experience in cybersecurity. Most hospitals and doctors have gone from paper to electronic health records in the space of a few years while reaping $24 billion in federal incentive money paid out under the 2009 Health Information Technology for Economic and Clinical Health Act.

One peek into our future may have been a three-day event in which hackers using a Chinese IP address infiltrated the St. Joseph Health System in Bryan, Texas, and exposed the information of 405,000 individuals, gaining names, addresses, Social Security numbers, dates of birth and other information.

It was the third-largest health data breach tracked by the federal government.

While a stolen credit card or Social Security number is worth one dollar or less on the black market, a person’s medical information can yield far more, according to the World Privacy Forum. Thieves want to hack the data to gain access to health insurance, prescription drugs or just a person’s financial information.

A credit card can be canceled within hours of its theft, but information in a patient’s health record is impossible to undo. The record contains financial records, personal information, medical history, family contacts — enough information to build a full identity.

The Identity Theft Resource Center — which has identified 353 breaches in 2014 across the industries it tracks — says almost half occurred in the health sector. Criminal attacks on health data have doubled since 2000, according to the Ponemon Institute, an industry leader in data security.

The FBI has said that the health care industry “is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely."

The annual security assessment by the Health Information Management Systems Society showed that about half of surveyed health systems reported spending 3 percent or less of their IT budgets on security. Some 54 percent of the 283 IT security professionals surveyed had tested a data breach response plan, and slightly more than half of hospitals had an IT leader in charge of securing patient data.

Nearly 1.84 million people have been victims of medical identity theft, according to a Ponemon report released last year, including 313,000 victims in 2013 — a 19 percent jump from the previous year.

The reluctance of the health care industry to spend serious money on cybersecurity may have grave consequences for patients. Time to up the game.

July 16, 2014

I can't even think how many years ago it was that we read a study saying that there was an average of seven keystroke loggers on the typical public computer, including hotel business center computers.

But the government has made the story new again and it has traveled the Internet courtesy of Brian Krebs in his Krebs On Security blog. As Krebs reported, the U.S. Secret Service has sent a non-public advisory to companies in the hospitality industry to inspect computers made available to guests in hotel business centers, warning that crooks have been compromising hotel business center PCs with keystroke-logging malware in order to steal personal and financial data from guests.

These days, it is easy enough to bring your own secure computing environment. In a pinch, if you want to look up sporting event scores, have at it. But doing anything financial or accessing a company network on any public computer (including those in libraries, in cybercafés and on cruise ships) is just plain dumb. There is no way for you to know if the computers are compromised.

July 15, 2014

The Washington Post reported last week that there had been a breach of the computer networks of the Office of Personnel Management, which stores detailed data on up to 5 million U.S. government employees and contractors who hold sensitive security clearances.

Authorities have traced the intrusion to China, but investigators don't yet know whether the attackers worked for the Chinese government. Our government said that the data is encrypted and that no personal data appears to have been stolen.

While I am rarely comforted by government reassurances, I am pleased that the OPM and the Department of Homeland Security were alerted to the breach in mid-March through an automated monitoring system. The intrusion was detected early enough that a DHS computer emergency readiness team, working with the agency, was able to block the intruder and minimize the harm.

However, as many commentators have noted, some kinds of encryption have been compromised and others will be compromised. The very idea that the Chinese may get, through whatever means, detailed information about those who hold security clearances is unnerving. Simply breaking encryption schemes is of concern, but so is the idea that the information gleaned could lead to sophisticated spearphishing or other attacks which, if successful, could lead to the possibility of access to highly secured networks.

It does seem like cyberwarfare was declared by many governments long ago - and they have no more clue about how to stop it than they once did about halting the progress of the atomic bomb. Yet again, we are (you must forgive the phrase) riding the lightning.

July 14, 2014

How many people have sold or given away their Android phones, carefully resetting them in the mistaken notion that doing so removed all their personal data? The answer is, probably a lot. And we thought the same thing, that resetting wiped all the data.

So we were truly surprised to read about a report from mobile security firm Avast saying that it was able to recover private photos, contacts, owner identities and more using common tools that any hacker might possess. Ugh indeed.

Avast didn't have to resort to much magic to recover the data from the phones it acquired and imaged. One free tool it used was FTK Imager, which is very widely used and publicly available.

As is so often true, the company that brought the danger to light also makes a free tool to ensure your personal data is wiped. Avast! Anti-Theft may be found in the Google Play Store. There are several alternative apps that will wipe an Android mobile phone. These include Nuke My Device, Cerberus Anti Theft, and the premium version of GFI's Vipre Mobile.

July 10, 2014

Who knew that dogs could sniff out hard drives? Thoreau, a fitting name for a classy golden retriever, assists investigators in Rhode Island. He has a pretty sweet job - he sniffs out technology and his handlers give him food. All retrievers will work for food, as anyone who has ever owned one knows.

Thoreau can sniff out all kinds of hidden electronics, including a thumb drive encased in a tin hidden in a metal cabinet or a hard drive sealed inside a plastic bag in the upper shelf of a desk.

Thoreau had his first real-life case last month in Providence when he pinpointed a thumb drive containing child porn hidden four layers deep in a tin box inside a metal cabinet. Of course, he has no idea about content, but if law enforcement has sufficient probable cause to get a search warrant, Thoreau sure can find any tech device with memory and help build a case.

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.